Jump to content
Welcome to our new Citrix community!

Bind Advanced Authentication Policy to NetScaler Gateway Virtual Servers


Björn Schläfli

Recommended Posts

Hi,

 

beginning with Netscaler 12.0 build higher 56.20 some classic expressions and policies are deprecated. In 56.20 I use a basic authentication policy for radius (ns_true) which is bound to the Netscaler gateway virtual server. With newer versions this policy is unbound and I can't bind it because it's deprecated. I've created an advanced authentication radius policy (expression TRUE) but I can't find any option to bind this advanced policy to my virtual Netscaler gateway server (only advanced authentication saml is possible).

How am I able to bind an advanced radius authentication policy to a virtual gateway server?

Do I need to configure radius otherwise now?

Link to comment
Share on other sites

Today, you have to bind Advanced Authentication Policies to a AAA vServer, and then link the AAA vServer to the Gateway using an Authentication Profile. This is also called nFactor. But it requires NetScaler ADC Enterprise Edition.

 

I hope Citrix provides a solution for ADC Standard Edition before they get rid of Classic authentication policies.

  • Like 3
Link to comment
Share on other sites

Are you doing multi-factor authentication? If so, then you might need to store the user's AD password in an HTTP/AAA attribute number and then configure a Traffic Policy to submit the password to StoreFront. My nFactor article details this.

 

Also, check StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services for errors.

Link to comment
Share on other sites

I have a login page with a drop down (created with Portal Theme and rewrite policy & action), because we wanted a single url where user's could choose the needed environment in drop down and therefore be redirected to the correspondent XenApp site.  It's working with build 56.20 and basic auth policy. 

Link to comment
Share on other sites

  • 5 weeks later...

Just spent a couple of hours trying to see how I can bind an advanced policy to a vServer after creating a basic one and seeing the deprecated note so I thought I would create the advanced as suggested. No matter what I did and where I looked I could not find how to bind it.

Then I came across this. Seems it's not possible with a Standard License as the advanced policy section is not available. So why deprecate a feature in one license version only to replace with a feature that is only available in a higher license level? An oversight or a shifty way to get folk to upgrade :-)

 

Back to basic policies for now then.

Link to comment
Share on other sites

  • 4 months later...
  • 1 year later...

Quick update for 2020. Oddly, even with our newly acquired Premium VPX license you still can't create, much less bind an advanced authentication policy directly to gateway virtual server on ADC 13.0. There's no option for advanced. It will only accept classic policies. As best I can tell the only way to use advanced policies is still to use nFactor, which is only supported on Advanced and Premium licenses. Entering a classical authentication policy now results in explicitly telling me the will be removed in the next release. "Classic authentication policies are deprecated and will be removed in release 13.1. Please use advanced authentication policies (i.e. add/set authentication policy)" Obviously this is concerning.

 

I had a ticket open with Citrix for a few days, and after a gotomeeting session and reviewing what I was seeing, I was ultimately told not to worry about it. "The warning you were seeing was just a mere warning. It will  not impact your policy if you upgrade the version." Hopefully that continues to be the case.

 

I was able to create advanced session polices this time around, it's just the authentication policies that are a problem. My hope and current assumption is that the message only applies to other areas (like session policies), does not apply to authentication polices, and the devs just opted to (intentionally or not) put the same warning on all instances of classic policy creation, even if it does not apply to that specific policy group. I just wish I could find this clearly documented somewhere.

 

It looks like they typically release new versions between April and June, so I may just wait until 13.1 comes out before finalizing this config and putting this new server into production. That way in case something changes, we're not unpleasantly surprised.

  • Like 1
Link to comment
Share on other sites

  • 1 month later...
  • 1 month later...
  • 7 months later...
On 4/3/2020 at 6:55 PM, Joe Roberts said:

Quick update for 2020. Oddly, even with our newly acquired Premium VPX license you still can't create, much less bind an advanced authentication policy directly to gateway virtual server on ADC 13.0. There's no option for advanced. It will only accept classic policies. As best I can tell the only way to use advanced policies is still to use nFactor, which is only supported on Advanced and Premium licenses. Entering a classical authentication policy now results in explicitly telling me the will be removed in the next release. "Classic authentication policies are deprecated and will be removed in release 13.1. Please use advanced authentication policies (i.e. add/set authentication policy)" Obviously this is concerning.

 

I had a ticket open with Citrix for a few days, and after a gotomeeting session and reviewing what I was seeing, I was ultimately told not to worry about it. "The warning you were seeing was just a mere warning. It will  not impact your policy if you upgrade the version." Hopefully that continues to be the case.

 

I was able to create advanced session polices this time around, it's just the authentication policies that are a problem. My hope and current assumption is that the message only applies to other areas (like session policies), does not apply to authentication polices, and the devs just opted to (intentionally or not) put the same warning on all instances of classic policy creation, even if it does not apply to that specific policy group. I just wish I could find this clearly documented somewhere.

 

It looks like they typically release new versions between April and June, so I may just wait until 13.1 comes out before finalizing this config and putting this new server into production. That way in case something changes, we're not unpleasantly surprised.

 

Hello, 

Thank you for the explanations you gave us, it helped me a lot ! 

Fred

Link to comment
Share on other sites

  • 6 months later...
On 2/3/2021 at 1:36 PM, Felipe Albuquerque1709153149 said:

Any news regarding this situation for Standard ADC?

Yes.

 

Starting from release 13.0 build 67.x, nFactor authentication is supported with Standard license only for Gateway/VPN virtual server. For more information about nFactor authentication with Citrix Gateway, see nFactor for Gateway Authentication.

 

https://docs.citrix.com/en-us/citrix-gateway/current-release/authentication-authorization/nfactor-for-gateway-authentication.html#create-a-gateway-virtual-server-for-nfactor-authentication-in-citrix-adc-standard-license

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...